
Office account hack is fixed, but Microsoft took too long to do it

An embarrassingly simple security breach in Microsoft account logins (including Office 365) has been fixed but it took Microsoft way too long to do anything.

It was possible for someone to take over the logins of Microsoft account users to get login details including passwords. There are over 400 million Microsoft accounts, including anyone with Office 365.

The problem has been fixed; there’s no risk to Microsoft account or Office 365 users.  But it was lucky that Sahad Nk found the bug first, not a criminal hacker.

We’ll explain how Microsoft dropped the ball in a moment – it’s absurdly simple and makes us wonder whether Microsoft’s talk about security is at all sincere.

Security fix took too long

Microsoft were told about this problem in June 2018 but took over FOUR months before finally fixing it in November!

Quote from

There’s no excuse for it taking that long.  Some security bugs need time to trace, fix and test – but this wasn’t one of them.

The core problem (the DNS record for a Microsoft sub-domain) could have been fixed in four minutes … let alone four months.   The rest of the coding bugs (using wildcard domain mapping) should have been fixed in much less time too.

About the Microsoft account security bug

It started with a Microsoft sub-domain .  Microsoft owns and uses various sub-domains for its services. was being used by a Microsoft app as the site to connect into Microsoft’s Azure services.  The app was dropped but the sub-domain was left live and unguarded.

Sahad Nk successfully hijacked to a web site he controlled.  That site could collect any information sent to it and that includes the login token that authenticates a Microsoft account.

That was Microsoft’s core error.  They failed to properly secure one of their own domains.

When you log in with a Microsoft account, all logins are approved by a single domain which allows redirection to an approved site like, or and, crucially, sub-domains.

The redirection happens with an OAuth token passed along which identifies the user and verifies that the login is OK. That token can be misused in the wrong hands.

A hacker could make a link like this with the ‘wreply’ pointing to :

A non-working link so don’t bother trying it!

Microsoft account logins should only redirect (wreply) to approved domains.  It seems that Microsoft took the easy option and allowed redirects to any sub-domain (eg  * instead of specifying which sub-domains are safe.

Since was controlled by someone outside Microsoft, a customer authorizing token could be sent to a hacker.  The hacker uses that token to access the customer’s account, email, OneDrive documents and more.

Microsoft’s second error was allowing a redirect to an insecure sub-domain either because they didn’t remove from the approved ‘wreply’ list or had a ‘lazy’ wildcard instead.
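
The difference between a wildcard redirect rule and an explicit approved list, as an added example (not Microsoft's code and not from the original article). The host names are constructed placeholders and the function names are hypothetical; only the 'wreply' parameter name comes from the article.

```python
from urllib.parse import urlsplit

# Constructed placeholder hosts; the article's real domain names are not reproduced.
APPROVED_HOSTS = {"portal.example.com", "mail.example.com"}
WILDCARD_SUFFIX = ".example.com"


def _host_of(wreply):
    """Return the host of an https redirect URL, or None if it must be rejected."""
    try:
        parts = urlsplit(wreply)
        host = parts.hostname
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or host is None:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # reject userinfo forms such as https://portal.example.com@other.test/
    return host.rstrip(".").lower()


def wildcard_allows(wreply):
    """Weak policy described in the article: any sub-domain is accepted."""
    host = _host_of(wreply)
    return host is not None and host.endswith(WILDCARD_SUFFIX)


def exact_allows(wreply):
    """Hardened policy: only hosts that are individually listed and still in service."""
    return _host_of(wreply) in APPROVED_HOSTS


def audit(samples):
    """List redirect targets the wildcard accepts but the explicit list rejects."""
    return [u for u in samples if wildcard_allows(u) and not exact_allows(u)]


# Constructed sample redirect targets.
SAMPLES = [
    "https://portal.example.com/landing",
    "https://retired-app.example.com/collect",  # sub-domain of a dropped app
    "https://example.com.lookalike.test/",
    "http://mail.example.com/",
]

if __name__ == "__main__":
    for url in audit(SAMPLES):
        print("accepted only because of the wildcard:", url)
```

Removing a retired host from APPROVED_HOSTS is what closes the gap; under the wildcard rule there is no entry to remove.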

For a lot more detail see

Good guys got there first…

Thankfully, the bug was reported to Microsoft first.  But the long delay before fixing this serious but easily fixable security lapse calls into question Microsoft’s real interest in customer security and privacy.  This bug, reported in July 2018, should have been fixed.

Maybe Microsoft fixed the problem more quickly? If so, why wait so long before going public?  Delaying the announcement just makes Microsoft look bad.

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.